Regulation compliance is getting more and more important for software systems that process and manage sensitive information. Therefore, identifying and analysing relevant legal regulations and aligning them with security requirements become necessary for the effective development of secure software systems. Nevertheless, Secure Software Engineering Modelling Languages (SSEML) use different concepts and terminology from those used in the legal domain for the description of legal regulations. This situation, together with the lack of appropriate background and knowledge of laws and regulations, introduces a challenge for software developers. In particular, it makes it difficult to perform (i) the elicitation of appropriate security requirements from the relevant laws and regulations; and (ii) the correct tracing of the security requirements throughout the development stages. This paper presents a framework to support the consideration of laws and regulations during the development of secure software systems. In particular, the framework enables software developers (i) to correctly elicit security requirements from the appropriate laws and regulations; and (ii) to trace these requirements throughout the development stages in order to ensure that the design indeed supports the required laws and regulations. Our framework is based on existing work from the area of secure software engineering, and it complements this work with a novel and structured process and a well-defined method. A practical case study is employed to demonstrate the applicability of our work.